CVE-2026-2421 MEDIUM

CVE-2026-2421: ilGhera Carta Docente for WooCommerce <= 1.5.0 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'cert' Parameter

Vendor Ghera74
Product ilGhera Carta Docente for WooCommerce
Weakness CWE-22 · Path traversal
Published March 20, 2026
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a file deletion. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible.

Explanation of Vulnerability in Simple Terms

02 Summary

ilGhera Carta Docente for WooCommerce versions up to 1.5.0 contain a path traversal vulnerability that allows an authenticated administrator to read, write, or delete arbitrary files on the server. An attacker with admin privileges can manipulate file paths to access files outside the intended directory, potentially compromising site integrity and availability.

What an attacker can do

03 Attacker Capabilities

Read, write, or delete arbitrary files on the server outside the intended directory.

Potential impact on your site

04 Site Impact

An admin account compromise could lead to data loss, site defacement, or complete server compromise.

Conditions required to exploit

05 Prerequisites

Attacker must have administrator-level access to the WooCommerce site.

Key dates

06 Disclosure timeline

March 20, 2026 CVE published
April 8, 2026 Record updated